Over the next few days, Net Politics will count down the top five developments in cyber policy of 2014. Each policy event will have its own post, explaining what happened, what it all means, and its impact on cyber policy in 2015. In this post, corporate cyberattacks.
Sharone Tobias is the research associate for Asia studies and the Digital and Cyberspace Policy program at the Council on Foreign Relations.
While Sony may have dominated the news towards the end of 2014, three major cyberattacks against U.S. companies shook the corporate world earlier this year: Target opened the year by announcing in January that hackers had stolen personal information from an estimated 110 million accounts; hackers accessed approximately 83 million J.P. Morgan Chase accounts in August; and Home Depot confirmed that its payment system was breached in September, compromising an estimated 56 million accounts. Here’s a look back at the details of each of those attacks, and how they affected the conversation about cybersecurity in the United States and the corporate sector.
Target
Target announced in January that hackers had stolen data—including names, mailing addresses, phone numbers, and email addresses—from over 70 million shoppers, and the credit card information of 40 million shoppers. One to three million of those credit cards were then sold on the black market, raising an estimated $53.7 million for the hackers. The attack caused enormous damage to Target’s reputation and stock price, resulting in the resignation of Beth M. Jacob, the company’s most senior technology officer, in February, and of Gregg Steinhafel, CEO and chairman of the board, in May. Target executives were summoned to appear before congressional panels on data privacy, and admitted that they had missed certain warning signs about security gaps. Experts say that Target left itself particularly vulnerable to attack: it ignored memos circulated by the federal government and research firms warning that new malware was aimed at Target’s payment system, allowed too much access to vendors, and did not do enough to wall its payment system off from the rest of its network.
The attack cost Target $148 million, and cost financial institutions $200 million, according to the Consumer Bankers Association and the Credit Union National Association. The company announced a timetable to move its debit and credit cards to a chip-and-PIN system, widely used in Europe but still rare in the United States. The chip-and-PIN system is considered more secure than credit cards that rely on magnetic stripes, and the move will cost Target $100 million. The company also spent $61 million on anti-breach technology in the months following the cyberattack, and profits fell 46 percent in the fourth quarter of 2013.
J.P. Morgan Chase
In August, the networks of several banks, most prominently J.P. Morgan Chase, were infiltrated by a network of hackers who accessed checking and savings account information. The attack went unnoticed for two months over the summer. J.P. Morgan estimated that 76 million households and 7 million small-business accounts were affected by the attack, although the hackers were not able to access the most private data, such as Social Security or account numbers. Experts believe that Russian criminals were behind the attack, but its origin is still far from settled; the FBI has officially ruled out the Russian government as a perpetrator.
Ultimately, though the infiltration was one of the largest known cyberattacks against a financial institution, the J.P. Morgan attack did not cost consumers much money. The data accessed was related more to J.P. Morgan’s marketing functions than to its banking functions. Even so, that kind of information allows hackers to write more convincing spearphishing emails to trick Chase customers into giving out information. However, a recent report argues that despite J.P. Morgan’s $250 million cybersecurity budget, hackers were able to access the company’s servers because the security team had neglected to add two-factor authentication, an extra layer of security used by most big banks. This oversight might explain why other institutions targeted by the same hackers did not suffer nearly as large an intrusion.
Home Depot
Home Depot confirmed in September that it had been infiltrated by hackers since April, admitting that 56 million accounts were put at risk, more than Target’s 40 million accounts. The company expected to pay $62 million to cover the costs of the attack, including legal fees and overtime for staff, and the breach caused an estimated $90 million in costs for banks to replace 7.4 million debit and credit cards. Unnamed staff within Home Depot said that the company’s information security department struggled with high turnover and old software. The team resisted using the Endpoint security feature of Symantec’s cybersecurity program, a feature that tracks suspicious activity and alerts system administrators to it, despite the urging of security consultants. The company also did not encrypt customer card data until September 2014.
Target, J.P. Morgan, and Home Depot were only three of many victims of cyberattacks in 2014; Staples, Healthcare.gov, Neiman Marcus, and many others also suffered cyberattacks that left customers vulnerable. Several similarities stand out between these and the Sony attack. First, in these attacks, the division of responsibility for the costs and for defense is not clear. Even in the cases of Home Depot and Target, where lapses in security were mainly the fault of the retailers, financial institutions bore the brunt of the cost. Second, the attacks show the necessity of protecting the weakest links and access points, such as vendor networks. Finally, and perhaps most surprisingly, customers just don’t seem to care that much about the security of their data—only a few months after these attacks, stock prices and sales returned to normal at Home Depot and Target.